The Economist on the Cyber Security Industry

For a non-technical publication they have managed to give some great insight into the reasons why the security industry has a problem.

The article calls out how profitable it is for hackers to exploit a vulnerability, and how high tech companies value growth over everything else, even security.

For those that don’t read it, The Economist, when you distill it down, is a publication written about making money.

The fact that cyber security makes the front page, and in two full articles, is a pretty big deal economically speaking and the gloomy prediction is troubling. The Economist has often been criticized for rarely seeing a political or economic problem that cannot be solved by the three card trick of privatization, deregulation, and liberalization. Given that the IT industry is probably the most privatized, least regulated, and arguably most liberal of industries, I can see why they might be struggling to see how we can move forwards, I think this is the first time I have read The Economist advocating more regulation of an industry.

For a non-technical publication they have managed to give some great insight into the reasons why the security industry has a problem, in the article headed “Why everything is hackable”.

What’s The Point?

Complexity is increasing the attack surface. The article calls out the size of computer code, and the vulnerabilities introduced as separate companies across the globe have to work together, which results in security issues inevitably falling through the cracks.

The economics for the attacker are good. They call out how profitable it is for the bad guy to exploit a vulnerability. With the availability of ransomware kits, initial investment is low, and the potential revenue generation is high. Accurate numbers are hard to gather, but most agree it is now a billion-dollar industry.

The economic incentives of the computer business. The article calls out that high tech companies value growth over everything else, and there is a mentality of “Ship it on Tuesday, fix the security problems next week – maybe.” I sadly have to agree, I have spent my career in a number of high-tech start-ups, and with the notable exception of Bromium, never has security been mentioned at any of them.

The industry is well aware of the problems that The Economist has outlined, and there are a number of companies and research projects out there trying to solve it.

Hardware isolation can change everything.

Computer programs are not suddenly going to get any smaller, large line counts adds inevitable bugs and vulnerability. The article calls out hardware isolation techniques as a potential solution to this, by isolating a computer program and running it in a container at the hardware level the attack surface is greatly reduced, meaning that the vulnerabilities in the application no long become threat to the system as a whole.

CHERI is a cool research project in at Cambridge University near to where Bromium’s development team is based. The principle is to alter the CPU design to make software compartmentalization easier, effectively baking the security of reduced attack surface into the CPU. This is really exciting, but there is no reason to wait for this to become a commercial reality to benefit from the principles. Intel introduced VT into their CPUs in 2006 and both AMD and ARM offered similar support later; this technology completely isolates the memory between virtual machines preventing one instance of a virtual machine being able to attack another. VT is now a very mature feature of the chip set, and the core principle behind which Bromium’s isolation and Microsoft’s soon to be released WDAG are built on.

Through widespread adoption of technologies like hardware isolation the industry can make a significant impact on the economics of cyber-attacks. As it becomes harder to find vulnerabilities it becomes more expensive to attack an organisation and as such less profitable. Over time criminal organisations will move on to find something else more cost effective.

Retrospectively adding security to a large and complex code base is extremely expensive, in some cases technically unfeasible. While I would always advocate companies take the time to make their applications secure from first principles the reality is this will not be practical for many existing applications. Hardware isolation allows a company to apply solid security to an existing application which reduces the damage the existing vulnerabilities in that application can do. This makes security more cost effective to apply and so more likely that it will be done.

A real world example.

For Microsoft office applications, macros have been a significant vulnerability, and it would be extremely difficult and expensive for Microsoft to make them more robust. If you want to read up on a recently discovered office zero day then take a look at my colleague Bill Hackley’s post. So far the only solution offered by Microsoft has been to disable macros, this slows legitimate use cases, but the bad guys have gotten better at social engineering users into enabling the macro, so it really hasn’t helped.

With office isolated through Bromium macros can be on in the full insecure glory, and should they do anything bad it will be contained within the document. Adding Office support to Bromium was significantly cheaper than it would be for Microsoft to fix all the vulnerabilities in the existing code base. Microsoft agrees with this principle which is why for Edge they are moving to hardware isolation in the form of WDAG later this year.

The Economist is right that cyber security is a serious problem and while it might have been excusable to overlook it when the Internet was new this is no longer the case. However technology is fast to adapt, and with techniques like hardware isolation the economics of cyber-attacks can be broken.

James Wright is Senior Director of Engineering at Bromium and responsible for the delivery of Bromium's end point security products. He lives in Cambridge and enjoys technology, music, cycling and writing about himself in the third person. You can find out more about him on LinkedIn.